Top Nav

Password List Download Best Word List – Most Common Passwords

Last updated: October 9, 2017 | 653,248 views

Password list download below, best word list and most common passwords are super important when it comes to password cracking and recovery, as well as the whole selection of actual leaked password databases you can get from leaks and hacks like Ashley Madison, Sony and more.

Generate your own Password List or Best Word List

There are various powerful tools to help you generate password lists or wordlists for brute forcing based on information gathered such as documents and web pages such as:

These are useful resources that can add unique words that you might not have if your generic lists, using a combination of generated lists, most common passwords and leaked password databases you can generate a very powerful selection of passwords for brute force cracking.

Also, add all the company related words you can and if possible use industry-specific word lists (chemical names for a lab, medical terms for a hospital etc).

And always brute force in the native language. There are some language-specific resources below.

Password List Download Best Word Lists

Although old, one of the most complete word list sets is here (easily downloadable by FTP too):

Thanks for the great compilation of wordlists. I guess most of the really interrested folks have compiled their lists over the past few years. But it never bad to do a diff against these well established ones.

I’m always suprised anything really requiring a password would allow more than a reasonable amount of login attempts.

Of course, that they’d likely set up automated password resets or reminders should the account be locked out in that way, is probably just making another route open to be exploited to gain entry. Guess where else they store password files! Plus it’ll use javascript when it’s not even needed. I’ve gotten fond recently of running javascript-intensive sites through the W3C verifier when they don’t display right on my browser, then sending them e-mails saying do they know their site / page contains 700+ errors in code – that’s a real figure btw, for a site with loads of network security articles…(not this site, in case anyone thinks that’s some sort of dig, it was techrepublic).

A lot of webdesign is taught via using apps like say Dreamweaver or Frontpage (or whatever ones have javascript insert selection buttons, I haven’t used any new editions for ages), the coding isn’t always taught.

Even a simple text-and-some-images (no js) page done in a Frontpage I have here generates a huge amount of code when you look at the code view; so say if it were replaced via ftp there’s a ton of places to hide or just shove some extra lines in.
Of course if that’s noticed then the page would likely be re-replaced again with the intended original, but the point is they probably wouldn’t know how it was altered even if the code was read over.

When looking at web design or any other cookie cutter programming pieces of software there will always be gaps and glitches. Computers are not perfect and never will be.

For people using something like Dreamweaver or Frontpage it seems like the best thing to do if your in a hurry (or just don’t want to hand write the entire website by hand) is to use the program, distribute the code, then go back and hand correct any errors or cut down on the code so its efficient and more secure, then update the site. Although its iffy of when you should do this. It would seem to be ok for jobs that need the site fast but also want it to be safe.

Ok, I have a question. I have been looking everywhere and I cant find a bruteforce list dictionary anywhere! I found a program that will write one (kind of): http://www.governmentsecurity.org/forum/?showtopic=8342 but it takes feakin forever, like 3 wps! it would take years to make a proper dict with say 16 chars, and it only writes how many chars you specify. I need one that will write all possibilities from 1 char to like 16, all possibilities based on a charset, and will write at like 100,000 a sec to make it worth the while. does anyone know or have any idea where to get such a program? Or is there a list already created like this? I know it would have to be HUGE! It wouldnt have to be up to 16 chars in length, I would settle for like 10. Thanks!

You won’t get anything worthwhile anyway from anyone that uses known words as their password. For that other thing, try writing a bash script that uses each character (for however x amount of characters the password is) in combination with all other characters; it’s just maths. That part isn’t the hard bit – the hard bit is getting that to run over a remote connection, as well as actually sending each combo as a login try. You’d have to wrap them up in disguised spoofed packets, from behind a fortess connection, or you get caught and then you die. You Die! You go cracker hell!

I wouldn’t count stealing a paypal users password as worthwhile! Are you going to check first to see if they’re really rich and can afford to lose a few quid? I meant worthwhile in the sense of ‘should you do that or not’ cause bad karma is definitely NOT worthwhile.

Fair enough though about going into other boxes, but it’s still about intent of why you would do that; ‘hacker’ and ‘cracker’ used to be distinct terms and hacker never meant being an online bagsnatcher. Besides for online password cracking you would need to be capturing their login$ beforehand somehow, and that would mean listening in on paypals authentication servers in the above case. You wouldn’t just be able to keep logging in over and over again with each generated password, it’d be noticed someplace secure like paypal.

Well, let me get down to the reason I would like such a file. I am currently looking at WPA wireless hacking, and the only thing I need is a 4-way handshake, and I can work on cracking my way in offline. I have the handshake (very easy to attain), but I think that a much more permenant solution to trying random words would be to use EVERY combination. And I already have a method that will try up to 200,000 possibilties a second. So once your in the network, you can just sit back and watch traffic go by and get all that juicy info you want. But thats not what I want, i’m not that evil. And also, about making a bash script, I dont know the first thing about making one but if you would like to throw one out there that would get the job done that would be awesome. ;)

And oh yeah, I need the possibilities of 6 chars. and up, because WPA passkeys have to be a minimum of 6 chars. I dont even know how many possibilites that is, say for all lower case, uppercase, and 0-9. I used to know the formula to figure that out but its been a long time and I have forgotten. It might not even be a feasible option after getting so far up in character length, like 10 characters, I dont know.

I too forgot how to calculate that, and if I remember correctly from the info I then got – add up all the characters in use, and multiply that number by itself (for a 2-character key; for a third character you use each of the previously generated combos alongside each character again, and so on). But I’m not confident that is correct (that the rule is to merely multiply it – it looks more like you do that first then for each additional character you add on the amount of characters in use), and being maths it’s impossible to look it up unless you’ve studied a lot of maths and know what the terms are for the operations and functions you want to do.
(exactly like network security and computers in general then – you know what you want to look for, but what have they named it?)

Anyways…..isn’t there a WPA cracker built in to one of the well-known wireless apps? I thought aircrack or wireshark did that; maybe not then. I haven’t gotten into that much because I ain’t got anything portable like a laptop.

[ eg for a 20 character set – 1st column = 20 (different characters); 2nd column 1st row = 20; 2nd column 2nd row = 20; 2nd column 3rd row = 20 ……… down to 2nd column 20th row = 20; then the third column is the same as the second column and so on – the amount of columns representing the length of the password – if it’s outputted that way then you have a wordlist of all combos,
so it’s 20 and add 20 twenty times if the password was only 2 characters from a character set of 20.
I’m rubbish at getting rules for these kinds of things, I never really did any maths, I can just see how it would be coded to run – as far as running it being feasible, that just depends on your hardware. But nooo, I don’t have a pre-written script. I don’t think it’d be that difficult to write though. ]

Aircrack is exactly what I am using, but it requires you to provide your own dictionary in a .txt or .pwl, thats why I am going this route. I think that the formula has to do with the factoral if I remember correctly, as how combinations of 6 charaters are there would be 6! (6 factoral) or 6x5x4x3x2x1. but that is if each columb has only one chacter. ie how many combinations of 123456 are there like 234516 and so on. Now how to incorporate that where each place has multiple possibilites, that is the formula I forgot. I think I have some old algebra 2 books around somewhere, I will just have to dig them up and figure all this out so I know if I’m waisting my time or not.

Right sure – there’s no soul audit after you die. You keep banking on that one since you know all about why this reality even exists. Maybe if we crack your hdd encryption it’ll have the Unified Field Theory: Proof on it in its final form. Cause every human culture on the planet, except for one that began very recently, are all wrong about what existence actually is, and it’s your proofless model that sometimes claims to be ‘rationalist’ that is correct, because as we all know so many people have returned from the dead to explain that there’s no need at all to behave properly or to be in any way responsible.
Besides you probably are in hell anyway and you haven’t noticed that yet. You are aware of the kind of timescales and factors you are using there to arrive at the conclusion that there’s no such thing as cause-and-effect in the physical reality of thoughts, emotions, and actions?
What do you think you can do to avoid cause-and-effect: build a time-machine and keep skipping about in time to try to avoid the ripples in this finite pond from converging upon you? Forever?

You’re the one that clearly hasn’t got a clue what you’re gibbering on about, if you think you can keep on logging in to a place like paypal in realtime, over and over again trying different passwords until you get the right one. Do you realise how many back-and-forths they do per each submitted password? And how obvious it is in terms of timings if you are submitting many logins in an automated way?

How exactly do you intend to get the password a user types in unless you are capturing the data they are sending to be logged in as? Other methods of getting passwords are OTHER METHODS and don’t require being bruted online at any point.

Got_WEP: Such a script would work in perl also, if you know that.

I reckon it already exists someplace, it’s kind of like a skeleton key that is hardware dependent – for any given character-set and password length it can generate all possibilities.

So you can either have prepared files of character sets or enter the used characters in manually, and the process would build up tables that are then used as the wordlists (which you input into the cracker apps / exes / etc).
So if it’s A-Z a-z 0-9 (length=2) then you need to tell it to do a column for each of those, and then alongside each you tell it to put all the other characters. eg 61 instances of A paired with every other used character, 61 instances of B paired with every other used character, and so on.
Then you’ve generated all combos when the length=2, so to add in for length=3 it’s the same process: you just add to the end of each 2-length column the third character (and again you need to insert all possible characters in that third column – per each of the 2-length column combos).
So that would build up a list of every possible combo, for the given character set.

The other part, is separate, the part where you want to be able to use the wordlist in. Where you can ignore certain strings and have it only run through combos that have a particular character in a particular place, and all that.

I wonder how long the likes of the Roadrunner would take to generate all combos of an a-zA-Z0-9 up to say 256 length password…….I suppose it depends on what it’s coded in and how the hw is doing those calculations. Must be fast though, even on mismatched hw-languages.

So that’s what you were talking about here with all that rainbow tables stuff, I thought those were about IP configs (ie – having tables of ranges to be scanned and IPs you use for various testing scenarios). As usual, something I’ve thought right through has a weird inappropriate name and is known as something else entirely.

What dee hell is a ‘salted hash’? I’m guessing it doesn’t come with NaCl sprinkled on it.

I know a lot of encryption systems say they are irreversible, I’m not so sure that’s true (ie: actually possible, although they are ‘practically’ irreversible). Is it really feasible to do anything to a number that cannot be done in reverse……maybe what they mean is that when an encrypt is being done based upon previously obtained values, and then also has some kind of randomisation of data thrown in, it’s harder to break because even if you know what the encryption standard in use is – you’re having to backwards calculate a value to fit whatever round of the encryption standard deals with that phase, hence there could be many possibilities and you then have to backwards calculate each of those also.

(there’s a certain cartoony funny quality to all this though, given that if you have an all-possibilities wordlist and an appropriate bruter (and the hw) then the ‘game’ is up, and everyone has to rely on constantly changing morphing encrypts. At least, that’s how it looks to me anyway when I’m reading through the great lengths and amount of phases that go into generating what turns out to be the usual – a keyword that unlocks the encrypted data or communication.)

Ok, time to update my earlier postings regarding finding or creating a brute force word list, and let you all know what I figured out on the subject.

So it turns out that I came across my answer while studying to take CompTIA’s security plus exam. According to the security + book, the answer is based on exponential factors. I will quote the passage:

“Passwords should be as long and as complicated as possible. Most security experts believe a password of 10 characters is the minimum that should be used if security is a real concern. If you use only the lower case letters of the alphabet, you have 26 characters with which to work. If you add the numeric values 0 through 9, you’ll get another 10 characters. If you go one step further and add the uppercase letters, you’ll then have an additional 26 characters, giving you a total of 62 characters with which to construct a password.

If you use a four-character password, this would be 62x62x62x62, or approximately 14 million password possibilities. If you use five characters in your password, this would give you 62 to the fifth power, or approximately 92 million password possibilities. If you used a 10-character password, this would give you 64 to the tenth power, or 8.3 x 10^6 (a very big number) possibilities. As you can see, these numbers increase exponentially with each position added to the password. The four-digit password could probably be broken in a day, while the 10-digit password would take a millennium to break given current processing power.
If your password used only the 26 lowercase letters from the alphabet, the four-digit password would have 26 the the fourth powe, or 456,000 password combinations. A five-character password would have 26 to the fifth power, or 11 million, and a 10-character password would have 26 to the tenth power, or 1.4 x 10^15. This is still a big number, but it would take only half a millennium to break it.”

So in my situation if i were to create a brute force word list that only covered the MINIMUM number of characters required in a WPA key, the possiblities would be 62^6, or 56,800,235,584 words in my word list. And that does not included nonalpabetic characters such as #,$, and %.
Oh well, i guess i will just stick with really large random password lists.

D’you mean that because the encryption method is known, and the character set in use is known, that the password hashes having been aquired (because where those are stored – is also known) coupled with some background info on who the passwords belong to (eg – their username), makes it easier to ‘guess’ a range of potentials?
That sounds like a lot of on-site recce though. Either that or you’d have to have gotten into the system anyway, to be able to get the password hashes! So while you’re in there, you could have easily made an admin account (and then some) – so then you don’t need anyone’s passwords…

(I get that there are those easily-guessable words that are likely to be used, and during any security testing you’d obviously have to emulate what any attacker would bruteforce with; then it’s a case of ‘well we found 20 people using these insecure passwords, so you’ll have to have those changed and inform them not to use such things’)

I still think that the actual generation of all possible combos is possible realistically with some more recent hardware (eg – a couple of overclocked CPUs and say 3 GPUs in SLi), but again those combos still have to be entered-in – offline that’s fairly easy, as automatic login scripts exist even if you don’t know what to write them in yourself, but online in realtime it’s obviously much more difficult to pull off. But given an anonymous high-bandwidth link to the machine the access is wanted to, it’s still in the realms of possibility, and getting more possible day by day. Even a botnet could be busy processing away for that purpose.

re: the first paragraph I wrote just there – fair enough, maybe some people want a password for an account so they can use that account as un-noticed as possible, and they wouldn’t want to make an admin or root account to do things with. But I still don’t see how that process would be any less noticable than an extra account – unless they aren’t going to do anything using the cracked account. Cause as soon as they do anything shady – it’s likely to show up, then they are locked out again anyway when the admins realise someone’s legit account is compromised.

Anything stealthy where you wouldn’t want what you’re doing to show up, hence the preference to have access to existing accounts; again – you don’t need to go to all that bother to install a rootkit or similar (the bother of having to get the hashes to begin with, etc, which means that you must have been in the system already).